Do Security Companies Create Monsters?
By Sarah Fraser
NewsFactor Network
July 22, 2003
http://www.newsfactor.com/perl/story/21942.html
"Security software companies try to create a need for [vendor solutions]," says Frost & Sullivan security analyst Jason Wright. That's how capitalism works. But do some go too far?
Everyone who has used a computer at one time or another has received a forwarded message with a questionable-looking subject line. Even those who are conscientious about basic security -- and normally would not open a message referencing an .exe file -- might do so if the e-mail came from a known source. Occasionally, that choice can result in more than consternation, when it turns out the message is not what it appears to be.
Perhaps it carries a virus. That, undoubtedly, is the worst-case scenario. But what if it is nothing more than a marketing ploy, demonstrating to recipients that it could have been a bug?
This is the question: Is such a warning nothing more than a scare tactic by the security-software vendor that sent it -- not so subtly promoting its own service offerings? Or is it helpful education for the public? Or both?
The answer, it seems, depends on whom you ask.
"Five years ago, I used to advise companies to take a stronger approach," Frost & Sullivan security analyst Jason Wright told NewsFactor. "But they wouldn't -- saying, 'We don't want to use scare tactics, because we want to position ourselves as enablers of secure technology.' I've watched these companies be very conservative, but the threats they do advertise are very real."
To prove the pervasive nature of security threats, Wright went into his own office and broke into my computer at home, turned on my webcam, and saw my bedroom. "You have to show people a little bit about these threats, which are very valid," he says.
Capitalism at Work?
The idea that security companies hype threats has become a running gag. "At the end of some Gartner seminars," says John Pescatore, a Gartner security analyst, "we make projections for the industry in one hundred years, such as, 'In 2103, Symantec and McAfee admit they wrote all those viruses.'"
Jokes aside, industry vendors, not surprisingly, say they are innocent of charges of exaggerating security threats for profit. They say they provide a vital service.
"How many large [virus] outbreaks have we seen in the last two years?" Trend Micro's Joe Hartmann asks. "If we ignore Slammer, we have not had a big virus outbreak this year," he told NewsFactor.
"In order for a virus to be really successful, it has to infect large corporations," Hartmann explained. However, since vendors already provide a solution within a few minutes, most viruses are blocked at the gateway level instantly, and corporate users never receive infected attachments in their e-mail.
Crossing the Line
There are reports of a few vendors that not only hype threats for profit but even go so far as to blackmail corporations. That practice is more common outside the U.S. and Europe and tends to involve obscure firms, industry observers say.
"Some small consultancies have crossed the line from [being] ambulance chasers to causing the accident," Pescatore told NewsFactor.
"This strategy does not work -- by and large -- in the U.S. and Europe," he said. "There's a lot of self-policing in the security market. It's still kind of a best-of-breed place that doesn't reward that behavior."
Still, security corruption has infiltrated the financial industry, according to Pescatore. For example, he told of one vendor that threatened to release private financial data unless its services were bought. That was no different from any other form of extortion, Pescatore said. But these days, that sort of thing happens more often in other countries, such as Russia, he noted.
With the entire world sharing a global Internet, is there cause for worry -- even if it is true that North American and European security vendors generally adhere to a high code of ethics? "I don't think we need to be concerned that U.S. companies will buy from shady companies elsewhere," Pescatore said. Companies have learned from what happened to the financial industry in the past few years, he remarked.